📝 Best Practice from the Smart Home Industry: Migration from Docker Swarm to Kubernetes. Explore this journey → close
  • English
    • English
    • 简体中文
    1. 1.Experience account: demo1 / Demo123
    2. 2.This account is only allowed to view parts of UI
    3. 3.It's recommended that install KubeSphere in your environment

You are viewing documentation for KubeSphere version:v3.0.0

KubeSphere v3.0.0 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

  1. Documentation / 
  2. Access Control and Account Management / 
  3. OAuth2 Identity Providers

Access Control and Account Management

Last updated:
    Edit

    OAuth2 Identity Providers

    Overview

    You can integrate external OAuth2 providers with KubeSphere using the standard OAuth2 protocol. After the account authentication by external OAuth2 servers, accounts can be associated with KubeSphere.

    oauth2

    GitHubIdentityProvider

    KubeSphere provides you with an example of configuring GitHubIdentityProvider for OAuth2 authentication.

    Parameter settings

    To set IdentityProvider parameters, edit the ConfigMap of kubesphere-config in the namespace of kubesphere-system.

    1. Execute the following command.

      kubectl -n kubesphere-system edit cm kubesphere-config

    2. This is an example configuration for your reference.

      apiVersion: v1
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      loginHistoryRetentionPeriod: 7d
      maximumClockSkew: 10s
      multipleLogin: true
      kubectlImage: kubesphere/kubectl:v1.0.0
      jwtSecret: "jwt secret"
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
        - name: github
          type: GitHubIdentityProvider
          mappingMethod: auto
          provider:
            clientID: 'Iv1.547165ce1cf2f590'
            clientSecret: 'c53e80ab92d48ab12f4e7f1f6976d1bdc996e0d7'
            endpoint:
              authURL: 'https://github.com/login/oauth/authorize'
              tokenURL: 'https://github.com/login/oauth/access_token'
            redirectURL: 'https://ks-console/oauth/redirect'
            scopes:
            - user
    ...

    3. Add the configuration block for GitHubIdentityProvider in authentication.oauthOptions.identityProviders. See the following table for more information about different fields.

      Field Description
      name The unique name of IdentityProvider.
      type The type of IdentityProvider plugin. GitHubIdentityProvider is a default implementation type.
      mappingMethod The account mapping configuration. You can use different mapping methods, such as:
      - auto: The default value. The user account will be automatically created and mapped if the login is successful.
      - lookup: Using this method requires you to manually provision accounts.
      For more information, see the parameters in GitHub.
      clientID The OAuth2 client ID.
      clientSecret The OAuth2 client secret.
      authURL The OAuth2 endpoint.
      tokenURL The OAuth2 endpoint.
      redirectURL The redirected URL to ks-console.

    4. Restart ks-apiserver to update the configuration.

      kubectl -n kubesphere-system rollout restart deploy ks-apiserver

    5. Access the login page of the KubeSphere console and you can see the option Log in with GitHub.

      github-login-page

      github-authentication

      logged-in

    6. After you log in to the console, the account can be invited to a workspace to work in one or more projects.

    Previous Previous : Configure Authentication
    What’s on this Page